Security Vulnerabilities in Baseboard Management Controllers Rampant, Research Finds

Joint research by Rapid7 and an independent security researcher has spotlighted vulnerabilities in embedded technology used to remotely manage servers known as baseboard management controllers [BMCs].
The Intelligent Platform Management Interface [IPMI] is a server management protocol that runs on the BMC. According to research by Rapid7’s HD Moore and security researcher Dan Farmer, both BMC and IPMI security is being challenged in ways many organizations may not have thought of.

“BMCs are often underappreciated and overlooked during security audits,” blogged Moore, chief security officer at Rapid7. “Like many embedded devices, they tend to respond slowly to tests and have a few non-standard network services in addition to web-based management.”

“The difference between a BMC and say, a printer, is what you get access to once it has been successfully compromised,” he explained. “The BMC has direct access to the motherboard of its host system. This provides the ability to monitor, reboot, and reinstall the host server, with many systems providing interactive KVM access and support for virtual media. In essence, access to the BMC is effectively physical access to the host system. If an attacker can not only log in to the BMC, but gain root access to it as well, they may be able to directly access the i2c bus and Super I/O chip of the host system.”

Using a series of network probes sent on UDP port 623, the researchers identified IPMI systems and tested for various vulnerabilities. What they discovered was that roughly 308,000 IPMI-enabled BMCs are exposed to the IPv4 Internet; 195,000 of these devices only support IPMI 1.5, which does not provide any form of encryption; and 113,000 of these devices support IPMI v2.0, which suffers from serious design flaws.

In addition, of the 113,000 that support IPMI specification v2.0, 99,000 were confirmed to expose password hashes, while 53,000 were confirmed to be vulnerable to password bypass due to a cipher suite known as Cipher 0, which bypasses the entire authentication process and allows IPMI commands from any source.

“The 53,000 BMCs that allow authentication via Cipher 0 are at immediate risk of compromise,” according to a paper detailing the researchers’ findings. “No exploit code is needed to manipulate these systems, as the standard IPMI command-line tools provide the required functionality. An attacker could use the Cipher 0 weakness to configure a backdoor account with administrative privileges. This backdoor could be used to compromise the BMC and the connected server.”

The researchers also discovered 35,000 Supermicro BMCs expose an exploitable Universal Plug and Play (UPnP) service and are vulnerable to remote root compromise. An exploit module for this issue has been available in the Metasploit Framework since March. A root compromise of the BMC can lead to disclosure of clear-text passwords and unauthorized access to the connected server, according to the paper.

Large enterprises should ensure that no IPMI-enabled BMCs are exposed to untrusted networks, and steps should be taken to disable Cipher 0 and set complex passwords, according to the paper. Hosting providers should immediately assess their systems and ensure no internal systems have IPMI exposed to the public network.
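As an added example (not from the article or the researchers' paper), the audit below reads the output of `ipmitool lan print`, flags the two weaknesses described above (Cipher 0 usable, IPMI 1.5 auth type NONE enabled) and produces the `ipmitool lan set` commands that close them. The sample output is constructed in ipmitool's layout, and channel 1 is assumed.

```python
# Constructed excerpt in the layout of `ipmitool lan print 1` (not a real BMC capture).
SAMPLE_LAN_PRINT = """\
Auth Type Support       : NONE MD5 PASSWORD
Auth Type Enable        : Callback : NONE MD5 PASSWORD
                        : User     : NONE MD5 PASSWORD
                        : Operator : NONE MD5 PASSWORD
                        : Admin    : NONE MD5 PASSWORD
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

def parse_lan_print(text):
    """Extract the fields behind the two findings: IPMI 1.5 auth type NONE and
    RMCP+ cipher suite 0. Continuation lines carry ':' but no key."""
    info = {"cipher_suites": [], "cipher_privs": "", "auth_none": False}
    current = ""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key:
            current = key
        if current == "RMCP+ Cipher Suites" and key:
            info["cipher_suites"] = [int(x) for x in value.split(",") if x.strip()]
        elif current == "Cipher Suite Priv Max" and key:
            info["cipher_privs"] = value  # one char per suite index 0..14
        elif current == "Auth Type Enable" and "NONE" in value.split():
            info["auth_none"] = True      # unauthenticated IPMI 1.5 sessions allowed
    return info

def cipher0_enabled(info):
    """Cipher suite 0 (no auth, no integrity, no encryption) is usable when the BMC
    advertises suite 0 and slot 0 of the priv-max string is not 'X' (unused)."""
    privs = info["cipher_privs"]
    return 0 in info["cipher_suites"] and len(privs) > 0 and privs[0] != "X"

def remediation_commands(info, channel=1):
    """ipmitool commands that close what the audit flagged. Dropping NONE only
    removes unauthenticated 1.5 sessions; 1.5 traffic stays unencrypted, so the
    interface must still be kept off untrusted networks."""
    cmds = []
    if cipher0_enabled(info):
        fixed = "X" + info["cipher_privs"][1:]   # mark suite 0 unused, keep the rest
        cmds.append(f"ipmitool lan set {channel} cipher_privs {fixed}")
    if info["auth_none"]:
        for level in ("CALLBACK", "USER", "OPERATOR", "ADMIN"):
            cmds.append(f"ipmitool lan set {channel} auth {level} MD5")
    return cmds
```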

“In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys,” blogged Moore. “The world of BMCs is a mess that is not likely to get better anytime soon, and we need to be crystal clear about the risk these devices pose to our networks.”
